DevSecOps Best Practices
by John M. Willis, Turnaround Security

This is to present v.0.1 (12/22/2017) of the DevSecOps Best Practices, as created by John M. Willis, the security guy in Washington, DC (not to be confused by the other John Willis who is co-author of the DevOps Handbook). John M. Willis has over 10 years of Configuration Management Build and Release Management and Engineering consulting experience prior to his becoming more focused on cyber security beginning in 2007.

These best practices were culled from a number of resources and combined with the experience of the author.

No attempt is made to assign any Capability or Maturity Level, nor to create any type of model—at this time. It is expected that those organizations developing software apply these best practices as appropriate to the business/mission, balanced with both strategic business risk (legal) as well as technical operational risk. In any event, the expectation is to try to apply all of them to the maximum extent practical.

No copyrights are claimed for the best practices as the author feels they should be community developed, supported and maintained. To provide feedback to incorporation into the body of knowledge supporting these DevSecOps Best Practices, please contact

Stay tuned, as eventually a more extensive resource covering each Best Practice will be made available.

BP # Description
DSO1 Establish a Secure Software Development Lifecycle Process
DSO2 Incorporate gating criteria in automation
DSO3 Establish Secure Coding Standards
DSO4 Include the security team representative in code reviews
DSO5 Perform in-depth security review of high-risk code/applications
DSO6 Create library of approved security software for reuse (reference architecture)
DSO7 Create technical hardening standards
DSO8 Implement technical hardening standards in baselines
DSO9 Monitor hardening implementations for integrity, and patches being current
DSO10 Implement version control, supporting parallel development (bugfix, multiple versionns, product variants) as needed
DSO11 Implement change control and approval process
DSO12 Require approved change request number on file check-in (for code and documentation)
DSO13 Track location of all installed instances of configuration items and their version numbers (and serial numbers, if applicable)
DSO14 Require comments at code check-in for use in preparing release notes
DSO15 Automate the build process
DSO16 Standardize installation and configuration processes
DSO17 Automate installation and configuration procedures
DSO18 Require unit test success as pre-condition to code check-in (code includes configuration files)
DSO19 Include security team representative in detailed design of all security functionality
DSO20 Prepare test cases for error and boundary conditions, and security functionality
DSO21 Automate testing for error and boundary conditions, security functionality, and functional requirements (Test-Driven Development)
DSO22 Incorporate security static code analysis at developer desktop (IDE)
DSO23 Incorporate security static code analysis on code check-in
DSO24 Include security group in approval of architectural frameworks
DSO25 Perform Dynamic Application Security Testing (DAST)
DSO26 Automate Dynamic Application Security Testing (DAST)
DSO27 Require Risk Questionnaire for each new release
DSO28 Aggregate operational errors with security log information
DSO29 Perform Threat Modeling review
DSO30 Manage third party software approvals and vulnerabilities
DSO31 Automatically merge production fixes and parallel release changes to main line of development code
DSO32 Actively manage merges of product variant code
DSO33 Manage design and operation of container security
DSO34 Secure the pipeline infrastructure and applications
DSO35 Actively manage security and operations of microservices
DSO36 Consider use of a Web Application Firewall (WAF)
DSO37 Incorporate Runtime Application Self-Protection (RASP) for web/server applications and similar applications for desktop, as appropriate
DSO38 Ensure segregation of duties as part of continuous delivery

I look forward to your feedback!

– John